You smell that? Sheep, son. Nothing in the world smells like that. I love the smell of sheep in the morning.

Menu

I received my new probe micro-positioner, two S-931 from Signatone and my first idea was to use them to dump the Firmware of the previous PIC16C57 to discover this method, but quickly I needed to delayer this chip. There are many ways to do that the most classic is to use HF by doing a window to selectively remove glass over the traces. Like I said before I don’t have a chemical lab and so I don’t want to use HF (this is a deadly chemical compound). Since I have a spare microscope to do test I bought a Laser from ebay to test some laser surgery on silicon die.

Current Setup

I took a 200mW green one. The choice of green comes from the Signatone website. Before going further I must say that the experiment only had few chance to be a success, 200mW CW laser is not really powerful and burn only black plastic, plus the optic on my microscope is not manufactured for laser use (Mitutoyo have series of objective for that), but I thought that concentrating the laser on a really small surface could do the job. I did the test using my old microscope (on the right):

The results is promising but I need to do a better setup with an other laser, in fact I managed to dig a small hole in the glass of a chip by putting the laser right behind a Neo 40x objective (the objectiv didn’t survive to this test):

Some pictures in BF and DF of the point of impact.

Future tests

For now I need to find an other Laser, those results confirm the need of a pulsed one (Q-Switched YAG like advise by some people), since finding a TEC/air cooled YAG setup for few bucks is hard I have 4 choices:

Trying 1W Green or IR laser

Maybe that could do the job but I think pulse is necessary to have the max amount of heat at one instant to avoid the dissipation in the die. I will try this anyway when I’ll have enough money (or if someone lend me one ;))

eBaying to find a YAG setup

This option could be the best but need lot of search to find good cavity/lamp and rod in an usable shape (many ebay rod are scratched and I don’t want to polish them) plus will need work to design a good and secured PSU to integrate to the microscope.

Using a tattoo removal machine

There are many cheap tattoo removal machine on eBay (I won’t use those on my body but…) based on Q-Switched YAG laser and delivering IR and Green pulse, there are two drawbacks, first I’ll need to put water near the setup to cool the laser machine and that’s not wanted for home use, second it’s not so cheap (about 1000$). At the moment it seems to be my best option because I know nobody selling a used setup for a reasonable price (I would love to get a SSY-1).

Signing a contract with the NSA

and stole laser setup before running to Ecuador 😀

So if you know people having used setup or piece of laser etc…. I’ll be interested. No need to say that the full setup will be documented as much as possible to be cloned around the world 🙂

After some tests on reading back the Program Memory of the PIC16C57C (I have many of them, thanks to you ;)) I finally managed to have a full working dump. The first one based on the previously decaped PIC was half a failure because of the nail polish area, there was many bad opcode right in the middle of the code and especially in the most interesting part. But that was a good starting point fuse were not protected against UV.

Following the results only the little area on top right of the picture was in fact reset to 0xFF, the big part was protected (thanks to the mega Gemey long lasting UV resistant nail polish). To be sure of that we did a Full zero programming of the program memory and read it back. Quickest option was to redo the whole process on an other part.

The second try was worst with a much more destroyed code dump, but the Zero test for leak in the UV shield passed without any problem. In fact after some investigation I shorted some bond wires together while applying the polish on the EPROM area. It gave some weird stuff and totally broke the code.

Here are some details of the fuse section, I think the Code Protect one is copied in the C version of that Pic because there is still 4 fuses where the datasheet gives a 12bits fuse register. It could make sense to do that to avoid undefined values in the code when reading the fuses (in fact this feature is present on all revision of the serie). This part is just a theory, if you have a better idea don’t hesitate to post it.

For a little project I need to decap a PIC16C57C but keeping it alive for analysis. I finally manage to have a clean “localized” decaping but I did many test before. If you have stuff needed to work with HNO3 it will be easier, there are many article on that point on the mega Interweb. In my case I’m more comfortable with H2SO4 mainly because it’s easier to source (drain cleaner that’s what I use) where Nitric Acid is regulated (explosiv manufacturing ?). So my today results seem promising, the decaping is really clean.

First post on a blog I wanted to do for a long time, it will be specialized in pictures of electronics failures. Since the first time that idea pops out I did some IC reverse engineering (at least I try to learn;)). So I will have more stuff to post here.